<h1><a href="https://www.sysarchitects.com/using-proxy-access-epel-internal-network">Using a Proxy to Access EPEL from an Internal Network</a></h1>
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>I had some RHEL6 boxes on an internal network that had no access to the internet. But I wanted to install packages from <a href="http://fedoraproject.org/wiki/EPEL">EPEL</a> via yum. The answer was to set up a proxy server and tell these internal boxes to use the proxy. Approach:</p>
<ol>
<li>Set up Squid proxy on a server that has access to the internet</li>
<li>Configure Squid to only accept requests from my network</li>
<li>Configure Squid to require a username and password, even on my network</li>
<li>Install EPEL repository settings on the client</li>
<li>Tell client to use the proxy</li>
</ol>
<h2>Set Up Squid</h2>
<p>I'm using RHEL6. So installing Squid is just <code>yum install squid</code> and ensuring it will start up when the box is booted is <code>chkconfig squid on</code>.</p>
<h2>Lock Down Squid</h2>
<p>My paranoia level is high, so I commented out all the example rules and only added my network, 198.51.100.0/24:</p>
<div class="codeblock"><code># Example rule allowing access from your local networks.<br /># Adapt to list your (internal) IP networks from where browsing<br /># should be allowed<br />#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network<br />#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network<br />#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network<br />#acl localnet src fc00::/7 # RFC 4193 local private network range<br />#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines<br />acl localnet src 198.51.100.0/24 # My internal network</code></div>
<p>For good measure, I also commented out all the allowed ports except 80 and 443.</p>
<h2>Require a Username and Password</h2>
<p>Even though it's on my local network, I wanted the proxy to require authentication. I'm not very concerned about encryption here, so I used HTTP Basic authentication (which sends the username and password base64-encoded, not encrypted); that means I had to tell Squid to use the helper program that supports it. I added the following to the top of <code>/etc/squid/squid.conf</code>:</p>
<div class="codeblock"><code># Tell Squid to use ncsa_auth<br />auth_param basic program /usr/lib64/squid/ncsa_auth /etc/squid/squidcredentials<br />auth_param basic realm Squid<br />acl authenticated_acl proxy_auth REQUIRED</code></div>
<p>I also changed the line</p>
<div class="codeblock"><code>http_access allow localnet</code></div>
<p>to</p>
<div class="codeblock"><code>http_access allow localnet authenticated_acl</code></div>
<p>This tells Squid that clients on the 198.51.100.0/24 network must authenticate to use the proxy; any other source address is still denied by the remaining rules.</p>
<p>Then I created the file at <code>/etc/squid/squidcredentials</code> with <code>htpasswd</code> (from the httpd-tools package on RHEL6). This file holds the username and the hashed password:</p>
<div class="codeblock"><code>htpasswd -c /etc/squid/squidcredentials foo<br />New password: mysecretpassword<br />Re-type new password: mysecretpassword<br />Adding password for user foo</code></div>
<p>A hole needs to be poked in the firewall to allow hosts on the internal network to reach squid on port 3128:</p>
<div class="codeblock"><code>iptables -I INPUT 4 -p tcp -s 198.51.100.0/24 --dport 3128 -m state --state NEW -j ACCEPT<br />service iptables save</code></div>
<p>Squid needs to read the changes in <code>/etc/squid/squid.conf</code>, and an easy way to do that is to restart squid:</p>
<div class="codeblock"><code>service squid restart<br />Stopping squid: ..................................................<br />Starting squid:    [  OK  ]</code></div>
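<p>As an added example (not part of the original post), the following shell helper audits a squid.conf for the lock-down settings described above: exactly one live <code>acl localnet src</code> line, every <code>http_access allow localnet</code> rule also requiring <code>authenticated_acl</code>, and no catch-all <code>http_access allow all</code> that would bypass authentication. The sample config it writes is constructed here from the post's settings.</p>

```shell
#!/bin/sh
# Added example (not from the post): audit a squid.conf for the two
# lock-down settings the post describes.

# Drop comments and blank lines so commented-out example rules are ignored.
active_lines() { sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"; }

# Number of live 'acl localnet src' lines (the post keeps only 198.51.100.0/24).
count_localnet() { active_lines "$1" | grep -c '^acl localnet src ' || true; }

# Prints 1 if no 'http_access allow localnet' rule is missing authenticated_acl.
localnet_requires_auth() {
  if active_lines "$1" | grep '^http_access allow localnet' |
     grep -vq 'authenticated_acl'; then echo 0; else echo 1; fi
}

# Prints 1 if a live 'http_access allow all' exists (it would bypass auth).
allow_all_present() {
  active_lines "$1" | grep -q '^http_access allow all' && echo 1 || echo 0
}

# Returns 0 when the file passes all three checks, 1 otherwise.
audit_squid_conf() {
  rc=0
  [ "$(count_localnet "$1")" = "1" ] || { echo "localnet ACL count != 1"; rc=1; }
  [ "$(localnet_requires_auth "$1")" = "1" ] || { echo "localnet allowed without auth"; rc=1; }
  [ "$(allow_all_present "$1")" = "0" ] || { echo "'http_access allow all' is live"; rc=1; }
  return $rc
}

# Constructed sample config reflecting the post's settings ($1 = output path).
write_sample_conf() {
  cat > "$1" <<'EOF'
auth_param basic program /usr/lib64/squid/ncsa_auth /etc/squid/squidcredentials
auth_param basic realm Squid
acl authenticated_acl proxy_auth REQUIRED
#acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 198.51.100.0/24 # My internal network
http_access allow localnet authenticated_acl
http_access deny all
http_port 3128
EOF
}
```

Run <code>audit_squid_conf /etc/squid/squid.conf</code> after editing; a non-zero exit with a printed finding means the config does not match the post's intent.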
<h2>Install EPEL Repository Settings on the Client</h2>
<p>This part is easy. Get the <a href="http://download.fedoraproject.org/pub/epel/6/i386/repoview/epel-release.html">EPEL repository rpm</a> and move it onto the client. Then install it with rpm:</p>
<div class="codeblock"><code>rpm -Uvh epel-release-6-8.noarch.rpm</code></div>
<h2>Tell Client to Use the Proxy</h2>
<p>The epel-release installation placed a file at <code>/etc/yum.repos.d/epel.repo</code>. Edit this file and add the following proxy line to the end of the [epel] section:</p>
<div class="codeblock"><code>proxy=http://username:password@proxy.example.com:3128/</code></div>
<p>where proxy.example.com is the IP or DNS name of the proxy server that was set up, and username and password are the credentials created with htpasswd above.</p>
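<p>As an added example (not from the post), this shell helper writes the proxy line into the [epel] section only, leaving the other sections of epel.repo untouched, replaces an existing proxy line on rerun, and tightens the file mode because the URL embeds the proxy password. The sample repo file, <code>proxy.example.com</code> and the user <code>foo</code> are constructed for illustration.</p>

```shell
#!/bin/sh
# Added example: put a proxy= line into the [epel] section of an epel.repo
# file without touching [epel-debuginfo] or [epel-source].

# $1 = repo file, $2 = proxy URL (e.g. http://user:pass@proxy.example.com:3128/)
set_epel_proxy() {
  awk -v url="$2" '
    /^\[/ {                       # new section header: close out [epel] first
      if (insec && !done) { print "proxy=" url; done = 1 }
      insec = ($0 == "[epel]")
    }
    insec && /^proxy=/ { next }   # drop an existing proxy= so reruns replace it
    { print }
    END { if (insec && !done) print "proxy=" url }   # [epel] was the last section
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
  chmod 0600 "$1"   # the URL carries the proxy password; keep it root-only
}

# Print the proxy= value of one section ($2, without brackets), if any.
get_section_proxy() {
  awk -v sec="[$2]" '
    /^\[/ { insec = ($0 == sec) }
    insec && /^proxy=/ { sub(/^proxy=/, ""); print }
  ' "$1"
}

# Constructed sample epel.repo ($1 = output path) with two sections.
write_sample_repo() {
  cat > "$1" <<'EOF'
[epel]
name=Extra Packages for Enterprise Linux 6 - $basearch
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=$basearch
enabled=1
gpgcheck=1

[epel-debuginfo]
name=Extra Packages for Enterprise Linux 6 - $basearch - Debug
enabled=0
EOF
}
```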
<p>If everything went well, you can now use <code>yum update</code> on the client and it will happily find the EPEL repository:</p>
<div class="codeblock"><code># yum update<br />epel/metalink      |  14 kB     00:00<br />epel               | 4.3 kB     00:00<br />epel/primary_db    | 5.0 MB     00:34<br />Setting up Update Process<br />No Packages marked for Update</code></div>
<p>If there is a typo in the password on the client, instead of the above you'll see something like</p>
<div class="codeblock"><code>Could not get metalink https://mirrors.fedoraproject.org/metalink?repo=epel-6&amp;arch=x86_64 error was<br />14: PYCURL ERROR 22 - &quot;The requested URL returned error: 407&quot;</code></div>
<p>References:</p>
<p><a href="http://www.cyberciti.biz/tips/howto-rhel-centos-fedora-squid-installation-configuration.html">Install Squid Proxy Server on CentOS / Redhat enterprise Linux 5</a><br />
<a href="http://yajith.blogspot.com/2008/11/enabling-basic-authentication-in-squid.html">Enabling basic authentication in Squid</a></p>
</div></div></div><p>Topic: <a href="/taxonomy/term/35">RHEL6</a>, <a href="/topic/epel">EPEL</a>, <a href="/topic/squid">Squid</a>, <a href="/topic/proxy">proxy</a></p><p>Tue, 29 Jan 2013 16:21:50 +0000, John</p>